Article 50 of the EU AI Act, set to apply from 2 August 2026, imposes transparency obligations on companies using generative AI. While Article 50 establishes these obligations in general terms, translating them into concrete technical and organisational measures requires further guidance. The AI Office’s Transparency Code of Practice aims at bridging that gap, offering stakeholders an actionable compliance playbook. But for online platforms navigating an already dense regulatory stack, the Code also raises new questions.
A Compliance Guide Designed to Fill the Gap Left by Article 50 AI Act
In November 2025, the European Commission’s AI Office launched the development of a Code of Practice on Transparency of AI-Generated Content, designed to provide concrete, actionable guidance to help companies comply with the transparency obligations under Article 50 of the EU AI Act.
Article 50 AI Act imposes transparency obligations in broad terms – AI-generated content must be “marked” and “detectable” – but says little about how. The Code fills that gap by specifying technical solutions (digitally signed metadata, imperceptible watermarking, optional fingerprinting), labelling formats (a standardised EU icon featuring the “AI” acronym, short text labels, audio disclaimers), and organisational processes (compliance frameworks, staff training, flagging mechanisms). For companies seeking to implement their obligations ahead of August 2026, this level of detail provides valuable practical guidance.
The Code was drafted by six independent academic Chairs and Vice-Chairs, incorporating written feedback from hundreds of participants and observers – industry, academia, civil society and other stakeholders. The second draft (commented here) was published in February 2026, but a final version is expected to be submitted to the Commission for approval by June 2026. Should the Commission validate the Code at an EU level, it is set to become the central reference framework for AI transparency compliance.
A Voluntary Code With Binding Consequences
While the Code is formally voluntary, its strategic implications are not. If the Commission approves it by implementing act, it will likely create a presumption of compliance for signatories that follow its prescribed methods. The corollary is that companies choosing distinct or alternative marking and labelling techniques – perhaps because they are better suited to their business model or technology stack – may face a heavier burden of proof to demonstrate equivalent effectiveness, interoperability, robustness, and reliability (the four requirements that marking and labelling techniques should meet under Article 50 AI Act). Non-signatories and companies using bespoke solutions should expect to invest substantially more in documentation, testing, and regulatory engagement to justify their choices.
Providers vs. Deployers: Different Roles, Overlapping Obligations
The Code is structured around the fundamental distinction set out in the AI Act. Providers – companies that develop and place AI systems on the market, such as OpenAI (ChatGPT, DALL·E), Google (Gemini, Imagen), or Mistral AI – bear the technical burden. They must embed machine-readable marks into AI-generated outputs using at least two layers (metadata and watermarking), make detection tools available free of charge, and test the robustness and reliability of their marking solutions against adversarial attacks. Deployers – entities that use AI systems under their own authority, such as news publishers using AI drafting tools, or e-commerce platforms generating synthetic product imagery – bear the communicative burden. They must ensure that the end-user actually sees a clear, accessible label disclosing the AI origin of deepfakes and AI-generated text on matters of public interest.
Complexity arises for companies that are both providers and deployers. A platform like Meta develops its own generative AI models (Llama, Emu) – making it a provider – while simultaneously deploying AI features across Facebook and Instagram (AI-generated stickers, chatbots, image editing tools) and hosting massive volumes of user-uploaded AI-generated content. The same applies to TikTok: ByteDance develops proprietary AI models that power the platform’s library of face-swapping filters, voice modification tools, and generative video effects, while simultaneously hosting millions of user-uploaded videos that may incorporate AI-generated or manipulated content from third-party tools. These dual-role platforms must simultaneously ensure their models embed compliant machine-readable marks, apply human-perceivable labels on their own outputs, and manage the flow of third-party AI-generated content. All while maintaining consistency with their existing obligations under, among others, the DSA, GDPR, AVMS Directive, consumer protection, and IP rules.
Classification Grey Areas Remain
Several aspects of the Code might present classification challenges in practice. For instance, the distinction between “AI-generated” and “AI-manipulated” content requires deployers to label each category differently (“Generated with AI” vs. “Manipulated with AI”), but the boundary is inherently fact-specific. A social media platform offering AI-powered photo filters must decide, for each filter, whether the output constitutes a deepfake requiring disclosure – a beauty filter that subtly smooths skin arguably does not, but what about a filter that swaps faces?
Similarly, on tourist accommodation platforms, AI tools can be used – by the company itself or by hosts – to enhance listing photos (removing clutter, improving lighting, or virtually staging furniture). Determining whether those images cross the threshold into “AI manipulation” requiring labelling is far from straightforward.
The artistic works exception permits lighter-touch disclosure for “evidently artistic, creative, satirical, fictional or analogous” works, but what qualifies as “evidently” artistic is subjective and will inevitably be disputed.
The editorial responsibility exception allows deployers to avoid disclosure of AI-generated text on matters of public interest if a natural or legal person holds editorial responsibility and the content has undergone human review – but the Code requires documented internal procedures identifying the responsible person by name, role, and contact details. A platform permitting media publishers to use AI drafting tools under the publisher’s editorial control may assume the exception applies, but if the publisher’s documentation is deficient, the exception fails, and the platform may face questions about its own role in distributing unlabelled content.
Looking Ahead
From a practical standpoint, companies would be well advised not to defer compliance efforts pending the finalisation of the Code. The implementation of the required infrastructure – multi-layered marking, internal classification guidelines, staff training programs, and compliance documentation – requires considerable lead time, and the 2 August 2026 deadline is near.
In particular, platforms integrating third-party AI models should consider imposing contractual obligations on upstream providers to ensure that output is marked in accordance with the Code’s standards. They should also provide channels allowing individuals or third parties (such as trusted flaggers and fact-checkers) to flag missing or incorrect disclosures, aligned with the DSA’s existing notice-and-action mechanism for illicit content – an area where AI Act and DSA compliance can, and should, be operationalised as a single integrated process. It should also be noted that the Code is expressly designed to evolve iteratively to reflect the state of the art: companies should assign internal responsibility for tracking developments in the Code, Commission guidelines, and emerging technical standards. Given that non-compliance with Article 50 carries administrative fines of up to €15 million or 3% of total worldwide annual turnover, early and structured engagement with these obligations is strongly recommended.
